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a Public key encryption SYSTEM 

This invention relates to a public key encryption scheme and to a method of 
encrypting and/or decrypting using public key encryption. 

In 1998 Cramer-Shoup (CS) (Cramer, R. and Shoup, V. A practical public key 
cryptosystem provably secure against adaptive chosen ciphertext attack, CRYPTOV8. 
LNCS 1462, pg 13-25. Springer-Verlag, California, 1998) presented a new El-Gamal 
style (El-Gamal, T. A public key cryptosystem and signature scheme based on 
discrete logarithms. IEEE Trans. Inform. Theory, 31, pg 469-472, 1985) public key 
encryption scheme that was the first efficient and provably secure scheme based 
solely on standard intractability assumptions. The contribution of CS was their 
scheme was efficient and yet did not rely on the random oracle (RO) assumption (see 
Bellare, M. and Rogaway, P. Optimal asymmetric encryption - how to encrypt with 
RSA.EUROCRYTPV4. LNCS 950, pg 92-1 1L Springer-Verlag, 1994 for more 
information on random oracles). However, schemes that rely on the RO model, are 
still more efficient than the CS scheme. Recent improvements to CS (see for example 
Shoup, V. Using hash functions as a hedge against chosen ciphertext attack. 
EUROCRYPT'OO. LNCS 1807, pg 275-288. Springer-Verlag, 2000 (this is actually a 
key encapsulation scheme)) have increased its efficiency, but not to the point where it 
can compete with the best RO schemes. 

Using the RO model or standard assumptions for a proof of security, represent 
opposite ends of the provable security spectrum. The RO model yields extremely 
efficient (see Bellare above) schemes yet practical implementations using hash 
functions cannot hope to achieve actual RO's. At the other end of the spectrum are 
the standard intractability assumptions, they give us much more confidence in 
security, yet the schemes that are available are still too inefficient (at least compared 
to RO schemes) for the majority of practical implementations. 

It is an object of the present invention to address the above disadvantages to seek to 
provide a cryptosystem having more practical implementation together with more 
provable security. 
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According to a first aspect of the present invention a public key encryption scheme 
using a private key, z, and a public key, h, comprises the encryption of a message, m, 
within a ciphertext, wherein an element of the encrypted ciphertext containing the 
message is formed by a message product of a variable, 6, based on the public key, h, 
and an output of an invertible deterministic method, x, operated on at least the 
message, m ? and a hash, H, of at least the message. 

The ciphertext preferably includes at least one random element, ui- 

Preferably, the invertible deterministic method is operated on the message, m, an 
index, j, of the hash and a hash, H, over both the message, m, and at least one random 
element, ui, preferably two random elements ui, u 2 . 

The variable, e, based on the public key is preferably the public key, h, raised to the 
power of a random number, r. 

The ciphertext may be decrypted using a private key, z, the at least one random 
element ui, the message product, and the invertible deterministic method, ?r. 

The invertible deterministic method, % may be operated on a check for the 
decryption. The check may be the hash, H, over at least the message, m. Preferably, 
the hash, H, for the check is over the message and at least one random element, ui. 

Preferably, the message product is represented by £.M, where £ = h r (r is random) and 
h = gi z , where g\ is a first generator, z is a randomly chosen private key and M = ir 
(m, j, t) where x is the invertible deterministic method, m is the message, j is a 
random index of the hash and t = Hj (m, g\\ g 2 I ), where Hj is the j th hash and g 2 is a 
second generator. 

The invertible deterministic method may be a squaring. 

The ciphertext preferably includes said at least on random element, Ui, preferably both 
random elements, ui, u 2 . 



At least one of said random elements, Ui, is preferably used to decipher the ciphertext, 
in conjunction with the private key, z, to determine the output, M, of the invertible 
deterministic method, tt, which output is then preferably inverted to give an original 
input and hence the message, m. 

According to a second aspect of the present invention a public key 
encryption/decryption method makes use of a ciphertext that includes a check 
element, t, wherein a check made during decryption is a hash, H, over at least the 
encrypted message, m. 

Preferably, the hash, H, is over the message, m, and at least one random element, uj, 
preferably two random elements, Ui, u 2 . 

The invention thereby advantageously relies on the collision-free aspects of a hash. 
The hash may be SHA-1 . 

According to a third aspect of the present invention a public key encryption method 
includes creating a ciphertext requiring at most 4 exponentiations to encrypt, 
including exponentiations for each of at least two random elements, m, U2 and an 
exponentiation for a public key, h, wherein a message for encryption does not require 
an exponentiation to encrypt. 

The method preferably includes 3 exponentiations, being for a first random element, 
Ui, a second random element, U2> and for the public key, h. 

The method advantageously requires fewer exponentiations than previous methods, 
whilst still being provably secure, thus having a significantly lower computational 
overhead compared to previous methods. 

According to a fourth aspect of the invention a public key decryption method includes 
decrypting a ciphertext with at most 2 exponentiations, including an exponentiation 
using a private key, z, to allow recovery of an encrypted message, m. 



Preferably, only one exponentiation is required. 
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The method advantageously requires fewer exponentiations than existing methods, 
whilst still being provably secure. Thus there is a significantly lower computational 
overhead involved in decryption. 

According to a fifth aspect of the invention a public key encryption/decryption 
method involves creating a ciphertext and decrypting the ciphertext, in which a public 
key requires no more than 3 group elements and a private key requires no more than 
one group element, whilst still providing a provably secure method. 

The invention extends to a message encrypted according to any one of the previous 
aspects. 

The invention extends to a recordable medium bearing a ciphertext encrypting a 
message encrypted according to the previous aspects. 



m The invention extends to a computer operable to perform any of the previous aspects. 



f|J The invention extends to a recordable medium bearing a computer program operable 

to perform any of the above aspects. 

All of the features described herein may be combined with any of the aspects or parts 
of the invention as set out above. 



A specific embodiment of the present invention will now be described with reference 
to the accompanying drawing, in which: 

Figure 1 is a schematic diagram of the encryption and decryption of a message. 

Below is described a new public key encryption scheme, which starts to bridge the 
gap (discussed in the introduction above) in efficiencies of practical implementation 
of such encryption, while still having its security rely solely on standard intractability 
assumptions. Compared to the CS scheme mentioned above, this new scheme has a 
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similar communication overhead but requires only 4 exponentiations in total (for both 
encryption and decryption) compared to 8 for the most efficient (pure public key) 
version of CS. In terms of offline storage, if CS and the new scheme are used in the 
same group, then CS requires 5 group elements to represent its public key and 5 for its 
private, whereas the new scheme requires 3 for its public key and 1 for its private. 
Thus the contribution of this invention is to present a provably secure public key 
encryption scheme based on standard intractability assumptions, where the efficiency 
of the scheme rivals those schemes that rely on the random oracle modeL 



Figure 1 shows an encryption module 10, which forms part of a first computer 12. 
The encryption module 10 operates a computer program to encrypt a message 14 in a 
p ciphertext 16, The message 14 encrypted in the ciphertext 16 is then transmitted or 

O passed to a third party for decryption with a computer program running on a 

(0 

f : \ decryption module 1 8 of a second computer 20. 

H 

m 

III The implementation of the method described herein is applicable to all types of public 

ii 

p key encryption already in use, for example the transmission of messages and data 

si* f 

y securely over computer networks, either local networks or global networks (such as 

HI 

Iff the internet). The method can be used as a computer program and operated on a 

pj 

5j message to be encrypted and then decrypted by a user with the relevant key, as is well 

known in the art. 



1.1 Notation 

We use standard notations and conventions for writing probabilistic algorithms and 
experiments. If A is a probabilistic algorithm, than A(x\ 9 x 2 , r) is the result of 
running A on inputs x\ 9 x 2 , ... and coins r. We let y 4- A(x\, x 2 , .-.) denote the 
experiment of picking r at random and letting y be A(x u x 2 , r). If S is a finite set 
then x «- S (or x e R S) is the operation of picking an element uniformly from S. 

If b is a bit then b is its complement. {0,1}* is a binary string of arbitrary length and 
{0,1 } 7 is a binary string of length /. The length of a string x is denoted by and the 
concatenation of strings x andy is denoted by jt||y. The zth bit of x is denoted by Xg and 
the substring of x from jc/ to x,-, where / < y, is denoted by X[t,j\, 
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A function /: N -» R is negligible if for every constant c > 0 there exists an integer k c 
such that /(*) < k" c for all k > k c . 

1.2 Definitions 

Industinguishability of encryptions against an adaptive chosen ciphertext (IND- 
CCA2) adversary is the standard accepted notion of security for a public key 
encryption scheme. The basic idea behind an IND-CCA2 adversary is they are given 
access to an encryption and decryption oracle, they then choose two messages, one of 
which gets encrypted (they do not know which). They are then presented with the 
ciphertext of the encrypted message and asked to determine which of the two 
messages was encrypted. They must succeed with probability non-negligibly better 
than Vz. The only restriction is the adversary may not query the decryption oracle 
with the challenge ciphertext. 

We consider the adversary A as running in two stages, a 'find' stage and a 'guess' 
stage. The find stage is responsible for finding the pair of messages (it will also 
output some state information s) and the guess stage is responsible for determining 
which message was encrypted in the challenge ciphertext. 

A formal definition of IND for any type of attack is given in Definition 1, but for a 
more complete treatise on this area see Bellare, ML, Desai, A., Pointcheval, D., and 
Rogaway, P. Relations among notions of security for public-key encryption schemes. 
CRYPTO'98. LNCS 1462, pg 26-45. Springer-Verlag, California, 1998. For example 
other types of attack are CPA and CCAI 3 see below for definitions. In the definition 
is a probabilistic key generation algorithm, Si:) is a probabilistic encryption 
algorithm, Z>{ ) is a deterministic decryption algorithm and #(-) is an oracle. The 
public and secret key are represented by pk and sk, respectively. 

Definition 1 [IND-CPA, IND-CCA1, IND-CCA2] Let 77= {X£Z>) be an encryption 
scheme and let A be an adversary. For atk e {cpa, ccal, cca2) and k e N let 



Advantage™^"* (k) = 2 ■ ?r[(j>k,sk)*--x(l k ); {x 0 ,x t ,s)<- A 6 ' (find y pk);b «- {o,l} ; 
y <~ B pk (x b ) : A* 2 (guess,x 0 ,x x ,s 9 y) = 1 

where 

If = cpa then = and 0 2 (-) = 

If a* = cca/ then = Z> sk () and 0 2 (-) = ««// 

If atk = cca2 then $i (•) ^ 2> S k(-) and 0 2 Q = 2? S k(0 

It is insisted that >4(find, •) outputs jco, xi with |x 0 | - M- ^ & e case of CCA2, it also 
insisted that (guess, •) does not ask its oracle to decrypt y. We say that i7is secure in 
the sense of IND-ATK if A being polynomial-time implies that Advantage™^"* (•) is 
negligible. 

2 The Basic Scheme 

We encrypt messages m e {o,lf~ 2k and also require a hash function H y :{o,l}* -> {o,l}* 

chosen from a family of universal one-way hash functions indexed by j. All 
operations are performed in the group G of order q (q is a large prime) in which there 
exists two generators g\ and g 2 . There also exists some (invertible) deterministic 
method to encode a message as an element of G. 
The private key is a randomly chosen z e Z q and the public key is h = gi z . 

Encryption. We choose r€RZ g j6R Z 2 * and compute s~K y t = H/m, gj r , g 2 r ) and 
Af = x(mjj) . The ciphertext is then 

(Wl, «2, e) = (g\ y g{, £ • M) 

Decryption. To decrypt (m, u 2 , e) we compute £r = wf ? M -~ and recover the 
message from m ? >, t - n~ l (m) . Finally we check 

If this holds we accept the message otherwise we reject. 



If the group G is chosen to be the set of quadratic residues a possible encoding 
method xty would be simple squaring (given m \\j || t was interpreted as an element 
of Z p modulo a large prime p of the form 2q + 1). Then in step 2 of the decryption, if 
neither square root yields a correct hash then the output is also 0. 

The scheme described above has significant advantages over the Cramer Shoup (CS) 
scheme because the number of exponentiations (a good guide to computational 
overhead) is only three in the encryption {e = h\ gi\ and g 2 r ), whereas in CS 5 
exponentiations are required (g/, g2> e = h r m and v = c r d ro ). 

In decryption the present scheme requires one exponentiation for decryption (e = U] Z ), 
whereas CS requires three (u^, u?+* a , and u x 2 ^ a ) 

Consequently, the present scheme requires four exponentiations whereas CS requires 
eight to encrypt and decrypt; this represents a halving in the computational overhead 
of the present scheme when compared to CS. 

In addition, the security is provable (see below) in the present scheme to a level that is 
comfortably within the definition of negligible. 

In the present scheme reliance is made on the collision free properties of the hash 
function to provide the check. CS uses a hash in the check (two times in fact), but it 
is within the complex checking equation u? +y * a u x 2 2+y2a = v . A hash function on M, U! 
and u 2 in the present scheme provides greater simplicity with good security and a 
computational overhead benefit, as discussed above. 

In the following a proof of security is given. Although such a proof is beneficial it is 
not necessary to have the proof to implement the scheme; it is merely a confirmation 
of the security given by the scheme. 
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3 Proof of Security 



3.1 DDHP 

All the proofs rely on the difficulty of the Decision Diffie-Hellman Problem (DDHP), 
the definition of which, from Cramer, R. and Shoup, V. A practical public key 
cryptosystem provably secure against adaptive chosen ciphertext attack. CRYPTO'98. 
LNCS 1462, pg 13-25. Springer-Verlag, California, 1998 is given below. 

Definition 2 - [Cramer Shoup (above), pg. 16] Let G be a group of large prime order 
q, and consider the following two distributions: 

- the distribution R of random quadruples (g\, gi> u\,ui)<a<?\ 

- the distribution D of quadruples (g u gi, u u w 2 ) e G 4 , where g u gi are 
random, and u\ = g\ and u 2 = g{ for random r e 7L q . 

An algorithm that solves the DDHP is a statistical test that can effectively distinguish 
these two distributions. 

3.2 The full scheme 

We will prove the security of the basic scheme by proving the security of an 
equivalent cryptosystem; a 'full' version of the basic scheme, this is presented below. 

The full scheme encrypts messages m e {0,l}"" 2 * and requires a hash function 
H/ ;{o,l}* -» {0,l}* chosen from a family of universal one-way hash functions indexed 
by j. All operations are performed in the group G of order q (q is a large prime) in 
which there exists two generators g x and g 2 . There also exists some (invertible) 
deterministic method /r( ) to encode a message as an element of G. 

The private key is two randomly chosen elements z u z 2 e Z q and the public key is 

Encryption. We choose r £r Z q J e R Z k and compute £ = h r ,t = H/w, u u u 2 ) and 
M = 7r(m,j\ t) . The ciphertext is then 

(uuU2,e) = (g\ r ,g2\sM) 



Deoyption. To decrypt (u u u 2 , e) we compute s = upu} 9 M = — and recover the 

€ 

message from m, 7,/ - (m) . Finally we check 

t = H/m, u u n 2 ) 

If this holds we accept the message otherwise we reject. 
33 Reducing the full scheme to the basic scheme 

We show that the security of the full scheme implies the security of the basic scheme. 
Let B be an IND-CCA2 adversary with an advantage in breaking the basic scheme. 
We will use B to construct an IND-CCA2 adversary A with an advantage in breaking 
the full scheme. The basic idea behind this reduction is that B will be given a public 
key of the form g?g z 2 2 , instead of gf, but B will not be able to tell the difference and 
this allows A to use B's advantage. 

We now define adversary A. A can run in two stages, a 4 find' stage and a 'guess' 
stage. The find stage is responsible for finding a pair of messages to distinguish (it 
will also output some state information s) and the guess stage is responsible for 
distinguishing which message was encrypted in the challenge ciphertext. Let V A (-) be 
the decryption oracle that A has access too. 

Algorithm ^(find, g u g 2y h, q 9 G) 
Run 5(fmd, g u g 2 , h, q, G) 

When B makes a decryption query, y\ respond with 

B returns (m 0 , m u s) 
A returns (m 0 , m u s) 

Algorithm^ (guess, m 0 , m u s 9 y) 
Run #(guess, m 0 , m u s,y) 

When B makes a decryption query, y\ respond with 
m<r-V A (y f ) 
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B returns b' 
A returns b ' 

Any valid ciphertext that B produces will be of the form ^,u 2 ,(g^ g z 2 2 ) m) since B 
encrypts with public key fc = gf'g? , hence any valid ciphertexts can be passed to 
Z> A ( ) and will be correctly decrypted. It follows that if B has an advantage then so 
does /I. 

3.4 The Hash function 

We shall recall some results from Carter, J.L., Wegman, M.N. Universal Classes of 
Hash Functions. Journal of Computer and System Sciences, 18, 143-154 (1979) about 
universal hash functions. 

Let all hash functions map a set A into a set % (and assume M > |S|). If H is a hash 
function and x,y e /t, we define 

[1 if ;c*yandH(;c) = H(y) 
S ^y ) = \0 otherwise 

If Sn(x, y) = 1 , then we say x and y collide under H. 

Let ^ be a class of functions from s4to We say that 1¥ is universah (the subscript 
indicates pairs) if for all x, y in ^, 5^x, y) < \&\A%\ • That is, # is universal if no pair 
of distinct keys collide under more than (l/|^)th of the functions. 

We will now recall the proposition from [Wegman and Cater] that we require for this 
paper. 

Proposition [Wegman and Cater (above), pgl46] - Let x be any element of /land S 
any subset of A Let H be a function chosen randomly from a universah class of 
functions (with equal probabilities on the functions). Then the mean value ofS H (x, y) 
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Hence in this paper we are careful to use a hash function that is randomly selected 
from a class of universal one-way hash functions, thus making the probability of 
finding a collision, in the absence of any other information, 

Of course for the sake of correctness of the proof of security a universal one-way hash 
function should be used, but practical security is unlikely to be compromised by the 
use of more 'off-the-shelf hash functions like SHA-1, and so these could be used in 
an implementation of the scheme. 

3,5 Sketch of the proof of security 

Now we show that the full scheme is secure against an 1ND-CCA2 adversary. First 
we give the construction of the proof (which is the same as that of CS). It is assumed 
there exists an adversary A that can break the full scheme in the IND-CCA2 sense and 
then we show how this adversary can unwittingly be used to help solve what is 
considered a computationally unfeasible problem, in this case the DDHP. 

The proof requires the construction of a simulator. Quadruples from either D or R 
(but not both) are input to the simulator, which is then responsible for, the creation of 
keys, simulation of an encryption oracle and simulation of a decryption oracle. The 
adversary receives all its information, including oracle queries, from the simulator. 

The proof runs as follows. A quadruple is input and the simulator creates a valid 
secret key and public key. The simulator runs the find stage of A, and A returns two 
messages, mo and m\. The simulator then runs the simulated encryption oracle which 
chooses a random bit b e {0, 1} ? encrypts m b and outputs the challenge ciphertext. 
The adversary cannot see the simulated encryption oracle's choice for &. 

The simulator then inputs the challenge ciphertext to the guess stage of the A, and A 
outputs its guess, b\ for the random bit. Both the simulator and the adversary pass b 
and V respectively to a distinguisher that outputs 1 if b = V otherwise 0. 

When the input quadruple comes from R, the adversary A cannot succeed in guessing 
b with any advantage. Alternatively, when the input comes from D, then the 
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simulator creates a perfectly valid ciphertext and A cm guess the bit b with its 
advantage. 



Hence by observing the distribution ofO'sand l's that are output by the distinguishes 
it can be determined which distribution the quadruples are coming from. If the 
quadruples are coming from R then l's will occur with probability 54 and O's with 
probability 54. The adversary will only be correct half the time, as it has no 
advantage. If the quadruples come from D then the adversary has an advantage and 
l's will occur with probability 54 + a (where a is the adversary's non-negligible 
advantage) and O's with probability 54 - a. 

Hence, by observation of the output distribution, one has a statistical test for the 
DDHP. 

3.6 IND-CCA2 security far the full scheme 

Theorem 2 - If the Diffie-Hellman Decision Problem is hard in the group G, then the 
scheme is secure against an adaptive chosen ciphertext attack. 

First the simulator is described. On input the DDH quadruple (g u g 2 , U\ 9 u 2 ) the 
simulator randomly chooses two private keys z u z 2 e Z q and outputs the public key as 



The simulator simulates the encryption oracle as follows. On input two messages mo 
and m x it selects a random bit b e [0, 1], a random number j e R Z k and computes: 



The simulated encryption oracle outputs the ciphertext (w b u 2 , e). 

The simulated decryption oracle simulates the decryption algorithm as follows. On 
input (u u u 2 , e) it computes: 



mJ 9 t = K-\M) 

If H(mj 9 u l9 u 2 ) = t the simulated decryption oracle outputs m, else it outputs 0. 
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The aim now is to show that when the input comes from D the simulator simulates the 
encryption and decryption oracles perfectly (probabilistically) and the advantage of 
the adversary is apparent at the distinguishes Alternatively, if the input comes from 
R then the aim is to show that the adversary can have no advantage in guessing b. 

The theorem follows from the following two lemmas. 

Lemma 1 - When the simulator's input comes from D, the simulator simulates the 
encryption and decryption oracles perfectly. 

The output of the simulated encryption oracle is exactly the same as the output of the 
real decryption oracle as u^ l u z 2 - = g? l g? 2 = {gxgl z ) =h r and so the ephemeral key is 
the same for both oracles. 

If the simulated encryption oracle produces an indistinguishable output from the 
actual encryption oracle (true since the ephemeral key has the right form and 
otherwise the simulation is identical in computation to the real oracle), and the 
simulated decryption oracle behaves in the exactly same way as the actual decryption 
oracle (they are also identical), then the adversary's view is indistinguishable from 
their view in an actual attack. 

Lemma 2 - When the simulator's input comes from R 9 the distribution of the hidden 
bit is (essentially) independent from the adversary's view. 

When the quadruple comes from R we have u x = g[ l and u 2 = gv 2 . We will show that 
the adversary's view is independent of the hidden bit b by showing that if no 
information about the secret keys is leaked, then the challenge ciphertext is equally 
likely to be the encryption of mo or mi, or in fact any message. 

Assuming the simulated decryption oracle only decrypts valid ciphertexts, we now 
show that no information about the secret keys is leaked by a valid ciphertext. 
Consider the following equations from the public key and a valid ciphertext. 
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log/z = Zj + wz 2 

logs = rlogh = rzj +rwz 2 

Where g 2 = gi w and log refers to log^ . Clearly they are linearly dependant and leak 

no information about z\ or Z2. 

Now consider the output of the simulated encryption oracle, here we derive the 
following equation. 
log£ = r x z x + r 2 wz 2 

We can arrange this and the public key equation as a set of linear equations. 

1 >vrj[zj [logs] 

The determinant of the matrix is non-zero w(r 2 - n) 9* 0, and so these equations have a 
solution zi and z 2 for a/iy s y making its possible values a permutation on G. 

This means a hides M*, as for every possible Mb there is an a consistent with e (e is 
fixed), and that a can be constructed from a pair of secret keys z\ and z 2 that are 
consistent with the public key. 

Hence there exists an a that decrypts the challenge ciphertext e to any M. M could be 
any element of the group, but in fact it may be invalid in the sense of not satisfying M 
= n(m 9 j\ t) for any possible mj and t y or if it satisfies M = n(m,j\ t) for some m y j and 
t then the relation t = H(m,y, wi, W2) may not be satisfied. The probability of choosing 
an ^ that decrypts e to an invalid M depends on ti(-), and we can say without loss of 
generality that for all 'good' choices of tu(-) (see section 2 for a suggestion), the 
probability that an adversary guesses a correct a is 0(2®)/q, as there will be 0(2 M ) 
valid M for a specific message. If, for example, n( ) performed a one-to-one mapping 
from its input to group elements then (for the IND-CCA2 game) there would be 2 m 
valid M s. For an appropriate j/j it is a computationally infeasible problem to guess a 
correct a. Importantly, all messages have 2^ valid Afs, hence an adversary has an 
equal chance of finding an a that gives a valid M for any message, and specifically an 
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equal chance of finding an M giving m 0 or m u and so the adversary can have no 
advantage in distinguishing between them. 

The above argument relies on the simulated decryption oracle rejecting all invalid 
ciphertexts; otherwise information about z\ and z 2 may be leaked. Let a valid 
ciphertext be (u u u 2 , e\ and an invalid one be (u\, u 2 , e% We consider possibly 
ciphertexts submitted to the simulated decryption oracle. 

1) {u\\ w 2 \ e). If ii\ or u 2 (or any combination thereof) is changed, then if the 
resulting ciphertext was decrypted by the simulated decryption oracle this would 
violate the collision property of the universal one-way hash function. If the 
universal one-way hash function was chosen at random then there is only a 
negligible chance (in the size of the output of the hash) that a collision can be 
found (see section 3.4). 

2) (u u u 2 , e'). The ephemeral key depends only on u\ and u 2y and we know these are 
unchanged, so the same ephemeral key as was used to encrypt will be calculated 
by the simulated decryption oracle. When e' is divided by the ephemeral key, a 
multiple of M will be the result, call it aM. An upper bound on the number of 
possible valid ATs is 2 W+W , a is chosen from the group, which has size q y which 
upper bounds the probability an adversary can guess an a that creates a valid M 
(with a message that is more than likely unrelated to m b ) as 2 w+w /$r. If these 
parameters are chosen correctly this probability is negligible. 

The adversary will attempt to do better than just guessing. However, without 
knowing j an adversary cannot hope to reproduce or modify e to e r in any way 
better than guessing, to cause the simulated decryption to decrypt e\ 

3) (n } \ u 2 , e'). This case is similar to case 2). Now (essentially) any e f is 
valid as long as u{ and u 2 cause the hash check to pass, but this represents a 
worse probability of success than case 2) as with the lack of any other information 
the probability of success is l/q 2 . 

Thus, the simulated decryption oracle will reject all invalid ciphertexts, except with 
negligible probability. 
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Hence if the DDHP is a computationally unfeasible problem then an IND-CCA2' 
attacker for the foil scheme cannot exist. 

4 Conclusion 

A new scheme was created which was shown to be provably secure against an IND- 
CCA2 adversary. The advantage of this new scheme is that it is roughly twice as 
efficient as CS in terms of computational overhead and has similar communication 
overhead, and that its proof relies only on standard intractability assumptions (it does 
not require the RO assumption). 
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